| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud resources (Google Cloud, Firebase, GitHub, etc.). |
| A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component. |
| IBM Watson CP4D Data Stores 4.0.0 through 4.8.4 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 264838. |
| Dell OpenManage Enterprise, versions 3.10, 4.0, 4.1, and 4.2, contains an Insertion of Sensitive Information into Log File vulnerability in the Backup and Restore. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. |
| A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. |
| Multiple Brother driver installers for Windows contain a privilege escalation vulnerability. If exploited, an arbitrary program may be executed with the administrative privilege. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. |
| CWE-59: Improper Link Resolution Before File Access ('Link Following') vulnerability exists that could cause
arbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file
corruption, exposure of application and system information or persistent denial of service when a low-privileged
attacker tampers with the installation folder. |
| VaulTLS is a modern solution for managing mTLS (mutual TLS) certificates. Prior to 0.9.1, user accounts created through the User web UI have an empty but not NULL password set, attackers can use this to login with an empty password. This is combined with that fact, that previously disabling the password based login only effected the frontend, but still allowed login via the API. This vulnerability is fixed in 0.9.1. |
| @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template. |
| IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11
stores potentially sensitive information in log files that could be read by a local user. |
| 2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of 2BrightSparks SyncBackFree. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is also required.
The specific flaw exists within the Mirror functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26962. |
| Dell Digital Delivery, versions prior to 5.6.1.0, contains an Insufficiently Protected Credentials vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to Information Disclosure. |
| G DATA Total Security GDBackupSvc Service Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G Data Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the GDBackupSvc service. By creating a symbolic link, an attacker can abuse the service to create a file with a permissive DACL. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20694. |
| IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application's API. |
| IBM Storage Virtualize vSphere Remote Plug-in 1.0 and 1.1 could allow a remote user to obtain sensitive credential information after deployment. |
| IBM Aspera Console 3.4.0 through 3.4.4 allows passwords to be reused when a new user logs into the system. |
| IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 allows web pages to be stored locally which can be read by another user on the system. |
| IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 8.11 could disclose sensitive information to a local user. IBM X-Force ID: 266875. |
| Malwarebytes Antimalware Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Malwarebytes Antimalware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Malwarebytes service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22321. |
| MedDream WEB DICOM Viewer Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of MedDream WEB DICOM Viewer. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Web Portal. The issue results from the lack of encryption when transmitting credentials. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-25842. |
